How Hadassah University Hospital's "no" to BYOD later turned into "yes"

More and more doctors, nurses and other medical staff in hospitals are striving to bring their personal smartphones and tablet computers to use in their workplaces. Credit:Flickr by j.reed

Five years ago, many of Hadassah University Hospital's 7,000 employees started asking if they could start using their personal laptop computers in their jobs. Initially, the answer was a firm "no" due to security concerns involving the institution's network and sensitive patient information.

But the pressure from many doctors and other workers continued, until finally in mid-2009 Hadassah brought in a potent network security application that allows deep protection of the hospital's network while giving employees some freedom and flexibility to use their laptops.

Of course, the Bring Your Own Device discussion didn't end there. Shortly after the laptops were permitted, hundreds of doctors and employees began bringing in other personal devices, including smartphones and tablet computers, and asking if they could use them for work as well.

At first, the hospital network completely blocked network access to the additional devices. But soon the tide turned and the IT staff started looking at ways to use their recently acquired network security system to allow more personal devices to be used without putting the network and data in jeopardy.

"It was chaos," said Barak Shrefler, the Chief Information Security Officer (CISO) for the Jerusalem, Israel-based hospital system. "When hundreds of people bring them in you start to ask whether maybe you can find a way to do it without risking your security and information."

So why the change of heart? Because despite the fact that more personal devices inside the network certainly would complicate data security, there was no arguing with how much more productive and efficient doctors, nurses, and administrative staff members could be if they could get needed information on their personal devices, wherever they were located.

But getting there wasn't easy. It took a lot of discussions about security and policies with hospital executives and employees before it finally came to pass.

"We talked to management five years ago about 'how do we manage all of this?'" said Shrefler. "At first they asked a lot of questions, about what are the risks and why. We did presentations about how different organizations were planning to attack this situation."

After about 18 months, the IT team received the OK to deploy a network access control system.

The IT team reviewed products from three vendors – ForeScout, Juniper Networks and a local vendor in Israel – before selecting ForeScout's CounterACT appliances, which allows agentless control of devices down to their individual features, such as turning off built-in cameras and screen captures. Today, the application not only watches over tablets, smartphones, PCs and laptops but also a wide range of other devices, including imaging machines, blood pressure systems and CT scanners.

Using CounterACT, Hadassah's IT staff can see and control every device on the network, according to Shrefler. What's more, each device is identified with a unique "fingerprint" that permits the assignment of specific use policies for each device and user, giving the hospital system the control it was seeking.

"Even if you brought your own devices in, it didn't mean that you can do everything with them," said Shrefler. "We changed permissions on the devices, which some workers objected to initially."

Those objections softened over time as employees gained more understanding about the hospital system's security concerns and responsibilities through dozens of informational meetings and security workshops, said Shrefler. "Now they pretty much understand that they don't want to do something that would endanger the security of Hadassah."

For employees, some controls are better than not having any access to the network at all with their personal devices, he said.

They also got a lot of employee pushback in another area: employees didn't think that the hospital network should be allowed to control their personal data on the devices, including their photographs and contacts.

"A phone is a more personal device," said Shrefler. "It's something you use and travel with every day. Employees started asking more questions, such as could we read their emails and personal text messages. When they saw we are not doing that, and when the legal department also explained it to them, they were quite OK with that."

Shrefler also gave them his personal assurances. "I told them that the only thing I care about on their devices is the applications and the Hadassah data, that's it," he said. "I told them that it's their own privacy and we're not going to invade their privacy. The users were satisfied with that."

It's been so effective and disarming that employees now typically contact the IT department's help desk before buying new personal devices to be sure that the IT staff will be able to support them using CounterACT, said Shrefler. "It makes enforcing policies effortless,” he said.

Along the way, Shrefler learned some important lessons that he can pass along to other organizations in the same boat.

First, be absolutely sure that you clearly and often talk to the people who will be affected and explain exactly what you are doing and why, he said. "We were open and we wanted to hear what people wanted to say."

Second, explain why network and data security are vitally important for your organization, he said. "They learned that it was not being done against them but we showed them how it could allow them to bring in their personal devices for work and make their lives much easier. With this kind of attitude, employees will understand. If you say 'no' to letting them bring in their devices, they will find a way to bypass you."

Third, be responsive and respectful, said Shrefler.

"I think our users are happy," he said. "They don't want to carry a lot of devices when one will do. They want as few devices as possible and to do more and to be productive. We agree with that concept."

So far, about 1,000 doctors and other workers are safely using their own devices inside the network, with the number expected to at least double in 2013, Shrefler said. Some doctors are even using tablets with apps for their email as they make their rounds in the hospital. Another 300 employees are using a medical records application in production to work with it before it is deployed to a larger number of users. They're also working on an iPad app for use by doctors and other healthcare workers.

Join the discussion
Be the first to comment on this article. Our Commenting Policies